From ${URL} :
christian mock <cm@...etec.at> has reported[1] that Proc::Daemon, when instructed to write a pid file, does that with a umask set to 0, so the pid file ends up with world-writable permissions. Upstream bugreport is at [2].
[1] http://bugs.debian.org/732283
[2] https://rt.cpan.org/Ticket/Display.html?id=91450
Axel Beckert has committed a patch to the Debian packaging[3] and forwarded it to upstream.
[3] http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Since upstream has had no releases for about two years, I've done a revision bump with a patch.
Arches, please test and mark stable: dev-perl/Proc-Daemon-0.140.0-r1
target KEYWORDS="amd64 ppc ppc64 x86"
amd64/ppc/ppc64/x86 stable. Cleanup done. @security, please vote.
GLSA vote: no.
GLSA vote: no.
Closing as noglsa.
*** Bug 497406 has been marked as a duplicate of this bug. ***
CVE-2013-7135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7135): The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file.
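
The permission problem described in this report, reproduced in a scratch directory together with a check for affected pid files. This is an added example, not code from Proc::Daemon or from the Debian patch; the function names are hypothetical, and the umask 022 plus chmod 0644 write is one assumed safe variant, not necessarily what the patch does.

```shell
#!/bin/sh
# Added example; not Proc::Daemon code. All function names are hypothetical.

# write_pid_umask0 FILE
# Mimics the reported behaviour: the pid file is created while umask is 0,
# so a newly created file gets mode 0666 (world-writable).
# The subshell keeps the caller's umask untouched.
write_pid_umask0() {
    ( umask 0; echo "$$" > "$1" )
}

# write_pid_safe FILE
# Assumed safe variant: restrictive umask during creation, then an explicit
# mode so a pre-existing file with loose permissions is tightened as well.
write_pid_safe() {
    ( umask 022; echo "$$" > "$1" ) && chmod 0644 "$1"
}

# is_world_writable FILE
# Succeeds if the "other" write bit is set on FILE.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# find_world_writable_pidfiles DIR
# Prints every regular *.pid file under DIR that any local user can modify.
find_world_writable_pidfiles() {
    find "$1" -type f -name '*.pid' -perm -0002 2>/dev/null
}

# When run with a directory argument (for example the system's pid file
# directory), list the pid files that need attention.
if [ "$#" -gt 0 ]; then
    find_world_writable_pidfiles "$1"
fi
```

A pid file flagged by the check matters because init scripts commonly read the pid from it and signal that process, often as root.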